Hello there to the ethical hacker community. At the start of the attached file there is code that I found in all .php files that exist on a site that was hacked. If the code seems interesting to anyone, some explanation of what the code does would be very helpful so I can secure my site.

First of all thanks for the reply. I know this code is malicious because the site was hacked several times and many strange things happened, you know, like front page replacement from hackers and things like that. Secondly, because the site is built on Joomla and I can distinguish (as can everyone who has been working with Joomla) the code that exists on a normal Joomla .php page from code that was manually inserted. You can also notice this: the Joomla code starts with the Joomla credits comments (at line 2!!!). Can you tell what the first part of code (the one that is not lined out well and is before the Joomla credits comments) is for? Also, as you can see, it uses code encoding and decoding. I don't know, I can also post a normal index.php to view the difference.

I forgot to mention that this code has been placed in all .php pages of the site, which is not very common, don't you think? This is actually a professional real hack and I think it is very interesting to investigate how this was done...

I've no experience with Joomla, so apologies if this is overly generic. If you can post what the file should be, or just outline which code is added/modified, that will help.

However, whilst this may be a result of a compromise, I'd not expect the code you've found to be the first point of intrusion, as any attacker would already need a foothold on the server to be able to add/alter any of your existing source.

I'd strongly suggest a thorough review of server logs, access, user etc. (basically the usual candidates), as well as a security audit of the code hosted on the site.

Is this site the only web application running on the server, or is it shared? If shared, it could be that the fault doesn't exist within your application, but a weakness on a different site has allowed a malicious user system access to modify the source code of otherwise secure web apps.

I am posting an original ("clean") index.php file of Joomla as it should normally be. It is obvious that this part of code shouldn't be there, but even if someone claims that this code is not malicious, it means that he or she understands what this code does. So please, if you will, explain it to me too. Andrew, I know that this is not the first point of intrusion, and I also know that Joomla has a lot of known vulnerabilities, but I see a piece of code in the files of a site and I am curious what this does and how.

Finally, the edited index file looks like it calls a function to get a gzipped copy of the configuration file.

From my knowledge of Joomla this could be legit (if you're seeing it across multiple systems, any chance you've just upgraded Joomla?). But at worst it looks like a data leakage issue. I'd still suggest focusing on locating the original compromise; this looks to be more a symptom than a cause.

I agree that this is the symptom and not the cause. I would like to say again that this code has been inserted into all PHP pages, and the number of those is very large. As for the files you mentioned, Andrew, helper.php and the other one, yes, these files are very common in Joomla. So only someone who would understand what the code does line by line could help right now. I am not sure, but the first big part looks like a shell to me.
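The thread describes the telltale pattern (foreign, encoded code sitting before the Joomla credits comment in every .php file), which is something a defender can triage across the whole site tree without reading each file by hand. The script below is an added example, not code from this thread or from Joomla; it assumes Joomla's header is a `/** ... */` docblock carrying `@version`/`@package`/`@copyright` tags, and the sample file contents are constructed.

```python
import re
from pathlib import Path

# Joomla's own file header: a /** ... */ docblock with @version/@package tags that the
# thread says normally begins at line 2, right after the opening <?php tag (assumption).
JOOMLA_HEADER_RE = re.compile(
    r"^/\*\*[ \t]*\n(?:[ \t]*\*.*\n)*?[ \t]*\*[ \t]*@(?:version|package|copyright)", re.M
)
# Decode-then-execute primitives typical of obfuscated PHP injections.
SUSPECT_CALL_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I
)
# A long run of base64-alphabet characters is the encoded payload itself.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{60,}")

def scan_php_source(source: str) -> dict:
    """Report what sits before the Joomla header and whether it looks injected."""
    m = JOOMLA_HEADER_RE.search(source)
    prefix = source[: m.start()] if m else source  # no header: inspect whole file
    # Drop the legitimate opening tag and whitespace; anything left is foreign code.
    stripped = re.sub(r"<\?php|\?>|\s+", "", prefix)
    calls = sorted({c.lower() for c in SUSPECT_CALL_RE.findall(prefix)})
    has_blob = BLOB_RE.search(prefix) is not None
    return {
        "header_found": m is not None,
        "prefix_lines": prefix.count("\n"),
        "suspect_calls": calls,
        "has_blob": has_blob,
        "injected": bool(stripped) and (bool(calls) or has_blob),
    }

def scan_tree(root: Path) -> list[tuple[str, dict]]:
    """Scan every .php file under root; return (path, report) for flagged files."""
    hits = []
    for path in sorted(root.rglob("*.php")):
        report = scan_php_source(path.read_text(errors="replace"))
        if report["injected"]:
            hits.append((str(path), report))
    return hits

# Constructed samples: a clean Joomla index.php and the same file with an injected prefix.
CLEAN_INDEX = "<?php\n/**\n * @version 1.5\n * @package Joomla\n */\ndefine('_JEXEC', 1);\n"
INJECTED_INDEX = (
    "<?php eval(gzinflate(base64_decode('"
    + "QUFB" * 20  # constructed stand-in for an encoded payload, not real data
    + "'))); ?>\n" + CLEAN_INDEX
)

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_INDEX), ("injected", INJECTED_INDEX)):
        print(name, scan_php_source(src))
```

Run `scan_tree(Path("/path/to/site"))` against a copy of the web root to list every file with a suspicious prefix; a hit list that spans the whole tree is consistent with the thread's observation and points at a compromise outside the individual files themselves.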